
WE CLAIM : 

1 1 . A method of implementing a security group within a network, the method 

2 comprising: 

3 receiving a packet; 

4 classifying the packet as having a security group designation selected from a 

5 plurality of security group designations, the security group designation associating a 

6 set of destinations and a set of sources authorized to access the set of destinations; and 

7 applying a security group tag to the packet which identifies the security group 

8 designation, the security group tag being applied in a field not reserved for virtual 

9 local area network information. 

1 2. The method of claim 1, wherein the security group tag is applied in a field 

2 reserved for layer one. 

1 3. The method of claim 1, wherein the security group tag is applied in a field 

2 reserved for layer two. 

14. A method of implementing a security group within a network, the method 

2 comprising: 

3 receiving a packet; 

4 classifying the packet as having a security group designation selected from a 

5 plurality of security group designations, the security group designation associating a 

6 set of destinations and a set of sources authorized to access the set of destinations; and 

7 applying a security group tag to the packet which identifies the security group 

8 designation, the security group tag being applied in a field reserved for security group 

9 information. 

1 5. The method of claim 4, wherein the security group tag is applied in a field 

2 reserved for layer one. 

1 6. The method of claim 4, wherein the security group tag is applied in a field 

2 reserved for layer two. 

1 7. A method for implementing a security group within a network, the method 

2 comprising: 

3 receiving a first packet; 

4 classifying the first packet as having a first security group designation selected 

5 from a plurality of security group designations, wherein the first security group 
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designation associates a first set of destinations and a first set of sources authorized to 
access the first set of destinations; and 

applying a first security group tag to the first packet which identifies the first 
security group designation, wherein the first security group tag is applied in a field 
reserved for layer three or higher and wherein the information in the field is not used 
in forwarding decisions by interswitch links. 

8. The method of claim 7, further comprising providing authentication 
information in the first packet. 

9. The method of claim 7, further comprising encrypting the first security group 
tag. 

1 0. The method of claim 7, further comprising: 
receiving a second packet; 

classifying the second packet as having a second security group designation 
selected from the plurality of security group designations, wherein the second security 
group associates a second set of destinations and a second set of sources authorized to 
access the second set of destinations; and 

applying a second security group tag to the packet which identifies the second 
security group designation. 

1 1 . The method of claim 7, wherein the receiving step comprises receiving the 
packet directly from a source node. 

12. The method of claim 7, wherein the classifying step comprises classifying the 
packet based on a source identity. 

13. The method of claim 7, wherein the classifying step comprises classifying the 
packet based on a payload content. 

14. The method of claim 7, further comprising: 

(a) receiving a second packet having a second security group tag identifying a 
particular security group within the enterprise network, wherein the second security 
group tag is provided in a field of the packet containing layer 3 or higher information, 
and wherein the field is not used in forwarding decisions by interswitch links; 

(b) based on the security group identified in the second security group tag, 
determining whether to transmit the second packet to its intended destination; and 
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(c) transmitting the second packet or denying transmission of the second 
packet to the intended destination based on the determination in (b). 

15. The method of claim 10, wherein the second set of sources comprises a source 
that is included in the first set of sources. 

16. The method of claim 10, wherein the second set of destinations comprises a 
destination that is included in the first set of destinations. 

17. The method of claim 12, wherein the source identity comprises a user identity. 

18. An apparatus for implementing a security group within a network, the 
apparatus comprising: 

means for receiving a first packet; 

means for classifying the first packet as having a first security group 
designation selected from a plurality of security group designations, wherein the first 
security group designation associates a first set of destinations and a first set of 
sources authorized to access the first set of destinations; and 

means for applying a first security group tag to the first packet which 
identifies the first security group designation, wherein the first security group tag is 
applied in a field reserved for layer three or higher and wherein the information in the 
field is not used in forwarding decisions by interswitch links. 

19. An apparatus for implementing a security group within a network, the 
apparatus comprising: 

a port for receiving a first packet; 

a processor for classifying the first packet as having a first security group 
designation selected from a plurality of security group designations, wherein the first 
security group designation associates a first set of destinations and a first set of 
sources authorized to access the first set of destinations; and 

an encoder for applying a first security group tag to the first packet which 
identifies the first security group designation, wherein the first security group tag is 
applied in a field reserved for layer three or higher and wherein the information in the 
field is not used in forwarding decisions by interswitch links. 

20. A computer program embodied in a computer-readable storage medium, the 
computer program comprising instructions which cause a computer to: 
receive a first packet; 
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4 classify the first packet as having a first security group designation selected 

5 from a plurality of security group designations, wherein the first security group 

6 designation associates a first set of destinations and a first set of sources authorized to 

7 access the first set of destinations; and 

8 apply a first security group tag to the first packet which identifies the first 

9 security group designation, wherein the first security group tag is applied in a field 

10 reserved for layer three or higher and wherein the information in the field is not used 

11 in forwarding decisions by interswitch links. 

1 21 . A method for implementing a security group within a network, the method 

2 comprising: 

3 receiving a packet; 

4 verifying a source of the packet; 

5 reading a destination address of the packet; 

6 reading a security group tag in a field of the packet reserved for layer three or 

7 higher; 

8 determining a first security group of the packet based on the security group 

9 tag, wherein the first security group is one of a plurality of security groups and 

10 wherein the first security group associates a first set of destination addresses and a 

1 1 first set of sources authorized to access the first set of destination addresses; and 

12 deciding, based upon the source and the first security group designation, 

13 whether to transmit the packet to the destination address. 

1 22. The method of claim 21, wherein the step of verifying the source of the packet 

2 comprises authenticating a source by analyzing authentication information in the 

3 packet. 

1 23. The method of claim 21 , wherein the step of verifying the source of the packet 

2 comprises authenticating a user by analyzing authentication information in the packet. 

1 24. The method of claim 21 , further comprising the step of decrypting the packet. 

1 25. The method of claim 21, wherein the first security group is a closed group. 

1 26. The method of claim 21, wherein the first security group is a partially 

2 overlapping group. 

3 27. The method of claim 2 1 , further comprising: 
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4 receiving a second packet; 

5 classifying the second packet as having a second security group designation 

6 selected from a plurality of security group designations, wherein the second security 

7 group designation associates a second set of destinations and a second set of sources 

8 authorized to access the second set of destinations; and 

9 applying a second security group tag to the second packet which identifies the 

1 0 second security group designation, wherein the second security group tag is applied in 

1 1 a field reserved for layer three or higher and wherein the information in the field is not 

12 used in forwarding decisions. 

1 28. The method of claim 21, further comprising the step of applying a policy to 

2 the packet based upon the first security group and the destination address, wherein the 

3 policy is selected from the group of actions consisting of: forwarding the packet; 

4 forwarding the packet and making a record of forwarding the packet; dropping the 

5 packet; dropping the packet and making a record of dropping the packet; and 

6 inspecting other fields of the packet to determine how to dispose of the packet. 

1 29. A computer program embodied in a computer-readable storage medium, the 

2 computer program comprising instructions which cause a computer to: 

3 receive a packet; 

4 verify a source of the packet; 

5 read a destination address of the packet; 

6 read a security group tag in a field of the packet reserved for layer three or 

7 higher; 

8 determine a first security group of the packet based on the security group tag, 

9 wherein the first security group is one of a plurality of security groups and wherein 

10 the first security group associates a first set of destination addresses and a first set of 

1 1 sources authorized to access the first set of destination addresses; and 

12 decide, based upon the source and the first security group designation, whether 

13 to transmit the packet to the destination address. 

1 30. An apparatus for implementing a security group within a network, the 

2 apparatus comprising: 

3 means for receiving a packet; 

4 means for verifying a source of the packet; 
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means for reading a destination address of the packet and for reading a 



6 security group tag in a field of the packet reserved for layer three or higher; and 



8 security group tag, wherein the first security group is one of a plurality of security 

9 groups and wherein the first security group associates a first set of destination 

10 addresses and a first set of sources authorized to access the first set of destination 

1 1 addresses and for deciding, based upon the source and the first security group 

12 designation, whether to transmit the packet to the destination address. 

1 31. An apparatus for implementing a security group within a network, the 

2 apparatus comprising: 

3 a port for receiving a packet; and 

4 a processor for: 

5 verifying a source of the packet; 

6 reading a destination address of the packet; 

7 reading a security group tag in a field of the packet reserved for layer 

8 three or higher; 

9 determining a first security group of tl^e packet based on the security 

10 group tag, wherein the first security group is one of a plurality of security 

1 1 groups and wherein the first security group associates a first set of destination 

12 addresses and a first set of sources authorized to access the first set of 

13 destination addresses and 

14 deciding, based upon the source and the first security group 

15 designation, whether to transmit the packet to the destination address. 

1 32. A method of implementing a security group in an enterprise network having a 

2 plurality of security groups, wherein the security groups each include multiple 

3 network nodes within the enterprise network, and wherein the network nodes within a 

4 security group are subject to rules governing which network nodes they can 

5 communicate with, the method comprising: 

6 (a) receiving a packet having a security group tag identifying a particular 

7 security group within the enterprise network, wherein the security group tag is 

8 provided in a field of the packet containing layer 3 or higher information, and wherein 

9 the field is not used in forwarding decisions; 



means for determining a first security group of the packet based on the 
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10 (b) based on the security group identified in the security group tag, 

1 1 determining whether to transmit the packet to its intended destination; and 

12 (c) transmitting the packet or denying transmission or delaying transmission of 

13 the packet to the intended destination based on the determination in (b). 

1 33. The method of claim 32, wherein the method is implemented on a router. 

1 34. The method of claim 32, wherein (c) comprises transmitting the packet only if 

2 the security group tag has a specified value. 

1 35. The method of claim 32, wherein the router: 

2 (i) resides in a local area network (LAN) of a multi-LAN enterprise network, 

3 and 

4 (ii) physically connects, directly, to a host. 

1 36. The method of claim 32, further comprising the step of applying a policy to 

2 the packet based upon the security group and the intended destination, wherein the 

3 policy is selected from the group of actions consisting of: forwarding the packet; 

4 forwarding the packet and making a record of forwarding the packet; dropping the 

5 packet; dropping the packet and making a record of dropping the packet; and 

6 inspecting other fields of the packet to determine how to dispose of the packet. 

1 37. The method of claim 34, wherein (c) effects a level of service constraint, and 

2 wherein different security groups correspond to different levels of service. 

1 38. A computer program embodied in a computer-readable storage medium for 

2 implementing a security group in an enterprise network having a plurality of security 

3 groups, wherein the security groups each include multiple network nodes within the 

4 enterprise network, and wherein the network nodes within a security group are subject 

5 to rules governing which network nodes they can communicate with, the computer 

6 program comprising instructions which cause a computer to: 

7 (a) receive a packet having a security group tag identifying a particular 

8 security group within the enterprise network, wherein the security group tag is 

9 provided in a field of the packet containing layer 3 or higher information, and wherein 

10 the field is not used in forwarding decisions; 

1 1 (b) based on the security group identified in the security group tag, determine 

12 whether to transmit the packet to its intended destination; and 
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1 3 (c) transmit the packet or deny transmission or delay transmission of the 

14 packet to the intended destination, based on the determination in (b). 

1 39. The computer program of claim 38, wherein the computer program is 

2 implemented on a router. 

1 40. The computer program of claim 38, wherein (c) comprises transmitting the 

2 packet only if the security group tag has a specified value. 

1 41 . The computer program of claim 38, wherein the router: 

2 (i) resides in a local area network (LAN) of a multi-LAN enterprise network, 

3 and 

4 (ii) physically connects, directly, to a host. 

1 42. The computer program of claim 40, wherein (c) effects a level of service 

2 constraint and wherein different security groups correspond to different levels of 

3 service. 

i 
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